Canva design with suspicious embedded link

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Evasion, Social engineering, Free file host

Event coverage

Rule body MQL

type.inbound
and any(body.links,
        .href_url.domain.root_domain == "canva.com"
        and strings.starts_with(.href_url.path, "/design/")
        and any(html.xpath(ml.link_analysis(.).final_dom,
                           "/html/body/script[2]"
                ).nodes,
                any(regex.iextract(.raw,
                                   '\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
                    ),
                    strings.parse_url(.named_groups["url"]).domain.root_domain not in (
                      "canva.com",
                      "sentry.io",
                      "googleusercontent.com"
                    )
                    and (
                      any(ml.nlu_classifier(.named_groups['display_text']).intents,
                          .name == "cred_theft"
                      )
                      or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
                      or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
                      or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
                      or ml.link_analysis(strings.parse_url(.named_groups["url"]
                                          )
                      ).credphish.disposition == "phishing"
                    )
                )
                // parse out links using file.explode
                or any(file.explode(.),
                       any(filter(.scan.url.urls,
                                  .domain.root_domain not in (
                                    "canva.com",
                                    "sentry.io",
                                    "googleusercontent.com"
                                  )
                           ),
                           .domain.tld in $suspicious_tlds
                           or .domain.domain in $free_subdomain_hosts
                           or .domain.root_domain in $free_subdomain_hosts
                           or ml.link_analysis(.).credphish.disposition == "phishing"
                       )
                )
        )
)
and not profile.by_sender_email().any_messages_benign

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of body.links where all hold:
    • .href_url.domain.root_domain is 'canva.com'
    • .href_url.path starts with '/design/'
    • any of html.xpath(ml.link_analysis(.).final_dom, '/html/body/script[2]').nodes where any holds:
      • any of regex.iextract(.raw) where all hold:
        • strings.parse_url(.named_groups['url']).domain.root_domain not in ('canva.com', 'sentry.io', 'googleusercontent.com')
        • any of:
          • any of ml.nlu_classifier(.named_groups['display_text']).intents where:
            • .name is 'cred_theft'
          • strings.parse_url(.named_groups['url']).domain.tld in $suspicious_tlds
          • strings.parse_url(.named_groups['url']).domain.domain in $free_subdomain_hosts
          • strings.parse_url(.named_groups['url']).domain.root_domain in $free_subdomain_hosts
          • ml.link_analysis(strings.parse_url(.named_groups['url'])).credphish.disposition is 'phishing'
      • any of file.explode(.) where:
        • any of filter(.scan.url.urls, .domain.root_domain not in ('canva.com', 'sentry.io', 'googleusercontent.com')) where any holds:
          • .domain.tld in $suspicious_tlds
          • .domain.domain in $free_subdomain_hosts
          • .domain.root_domain in $free_subdomain_hosts
          • ml.link_analysis(.).credphish.disposition is 'phishing'
  3. not:
    • profile.by_sender_email().any_messages_benign

Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, type.inbound. Sensors: file.explode, html.xpath, ml.link_analysis, ml.nlu_classifier, profile.by_sender_email, regex.iextract, strings.parse_url, strings.starts_with. Reference lists: $free_subdomain_hosts, $suspicious_tlds.
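The first branch of the rule (regex over the design page's second script tag, then the per-link checks) can be exercised outside Sublime to see which links would fire. The Python below is an added illustration, not code from the sublime-rules repository. It copies the rule's regex with one change (`(?<url>...)` becomes `(?P<url>...)`, the only named-group syntax Python's `re` accepts), and it replaces things the page does not supply with labelled stand-ins: `SUSPICIOUS_TLDS` and `FREE_SUBDOMAIN_HOSTS` are placeholder sets standing in for the `$suspicious_tlds` and `$free_subdomain_hosts` reference lists, `looks_like_cred_theft` is a keyword heuristic standing in for `ml.nlu_classifier`'s `cred_theft` intent, the `ml.link_analysis` credphish disposition is omitted, and `SAMPLE_SCRIPT` is a constructed string shaped so the regex matches it, not real Canva markup.

```python
import re
from urllib.parse import urlparse

# Regex copied from the rule body. Python's re module only accepts (?P<name>...)
# named groups, so the rule's (?<url>...) is written here as (?P<url>...).
CANVA_LINK_RE = re.compile(
    r'''\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?P<url>https:\/\/[^\s"')\]}]+)\"'''
)

# Root domains the rule never flags, even when they appear in the design's script.
ALLOWLISTED_ROOT_DOMAINS = {"canva.com", "sentry.io", "googleusercontent.com"}

# Placeholder stand-ins for Sublime's $suspicious_tlds and $free_subdomain_hosts
# reference lists; the real lists are not on the page and are not reproduced here.
SUSPICIOUS_TLDS = {"tk", "top", "xyz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "glitch.me"}

# Crude keyword stand-in for ml.nlu_classifier(...).intents containing "cred_theft".
CRED_THEFT_PHRASES = ("verify your account", "confirm your password", "sign in to view")


def looks_like_cred_theft(display_text: str) -> bool:
    """Stand-in for the NLU intent check: flag link text that asks for credentials."""
    text = display_text.lower()
    return any(phrase in text for phrase in CRED_THEFT_PHRASES)


def domain_parts(url: str) -> tuple[str, str, str]:
    """Return (hostname, root_domain, tld) for a URL.

    Root domain is approximated as the last two labels (assumption: no
    multi-label public suffixes such as co.uk in the input), mirroring
    strings.parse_url(...).domain.{domain,root_domain,tld} in the rule.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    tld = labels[-1] if host else ""
    root_domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, root_domain, tld


def extract_link_pairs(script_raw: str) -> list[tuple[str, str]]:
    """Pull (display_text, url) pairs out of the embedded script, as regex.iextract does."""
    return [(m.group("display_text"), m.group("url")) for m in CANVA_LINK_RE.finditer(script_raw)]


def evaluate_script(script_raw: str) -> list[dict]:
    """Apply the rule's per-link conditions and return the links that would fire."""
    findings = []
    for display_text, url in extract_link_pairs(script_raw):
        host, root_domain, tld = domain_parts(url)
        # First condition: the destination must not be one of the allowlisted root domains.
        if root_domain in ALLOWLISTED_ROOT_DOMAINS:
            continue
        # Second condition: any one of the suspicious-link signals is enough.
        reasons = []
        if looks_like_cred_theft(display_text):
            reasons.append("cred_theft_text")
        if tld in SUSPICIOUS_TLDS:
            reasons.append("suspicious_tld")
        if host in FREE_SUBDOMAIN_HOSTS or root_domain in FREE_SUBDOMAIN_HOSTS:
            reasons.append("free_subdomain_host")
        if reasons:
            findings.append({"display_text": display_text, "url": url, "reasons": reasons})
    return findings


# Constructed sample of what the second <script> of a rendered design page might
# contain, shaped only so the rule's regex matches it; not real Canva markup.
SAMPLE_SCRIPT = (
    '"A":{"k":1,"t":"Open in Canva"},"b":{"k":2,"u":"https://www.canva.com/design/abc"},'
    '"B":{"k":3,"t":"Verify your account now"},"c":{"k":4,"u":"https://verify-login.example.tk/secure"},'
    '"C":{"k":5,"t":"Download report"},"d":{"k":6,"u":"https://files.example.com/report.pdf"},'
    '"D":{"k":7,"t":"View shared file"},"e":{"k":8,"u":"https://docs-share.weebly.com/view"}'
)

if __name__ == "__main__":
    for finding in evaluate_script(SAMPLE_SCRIPT):
        print(finding["url"], "->", ", ".join(finding["reasons"]))
```

Running it on the sample yields two findings: the `.tk` link (flagged both by its link text and its TLD) and the free-host link; the canva.com link is dropped by the allowlist before any signal is evaluated, and the plain `.com` link produces no signal. The allowlist check running first matters for tuning: a link to one of those three root domains is never examined, so any false negatives through them are by design, while false positives come from the breadth of the TLD and free-host lists and whatever stands in for the NLU and link-analysis verdicts.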

Indicators matched (7)

Field | Match | Value
body.links[].href_url.domain.root_domain | equals | canva.com
strings.starts_with | prefix | /design/
regex.iextract | regex | \"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"')\]}]+)\"
ml.nlu_classifier(regex.iextract(html.xpath(ml.link_analysis(body.links[]).final_dom, '/html/body/script[2]').nodes[].raw)[].named_groups['display_text']).intents[].name | equals | cred_theft
file.explode(html.xpath(ml.link_analysis(body.links[]).final_dom, '/html/body/script[2]').nodes[])[].scan.url.urls[].domain.root_domain | member | canva.com
file.explode(html.xpath(ml.link_analysis(body.links[]).final_dom, '/html/body/script[2]').nodes[])[].scan.url.urls[].domain.root_domain | member | sentry.io
file.explode(html.xpath(ml.link_analysis(body.links[]).final_dom, '/html/body/script[2]').nodes[])[].scan.url.urls[].domain.root_domain | member | googleusercontent.com